[linux] apache is not being my friend today
Garrett Cooper
youshi10 at u.washington.edu
Fri Aug 12 16:38:15 PDT 2005
Jonathan Nicol wrote:
> Awesome, thanks. (On a side note, the text on this page doesn't render
> very well in Firefox on OS X.)
>
> --Jonathan
>
> Quoting Matthew Radey <marad at u.washington.edu>:
>
>> Garrett Cooper wrote:
>>
>>> Jonathan Nicol wrote:
>>>
>>>> Hi Matthew,
>>>>
>>>> This is some great info, thanks. Since this box is my Apache/MySQL/PHP
>>>> test box, I'll play around with SELinux, and perhaps we'll start using
>>>> it in production at some point. Quick question... after I turned it off,
>>>> I just rebooted to change the policy (very "Windows", I know). Is there
>>>> a better way?
>>>>
>>>> thanks
>>>> Jonathan
>>>>
>>>> Quoting Matthew Radey <marad at u.washington.edu>:
>>>>
>>>>> Jonathan Nicol wrote:
>>>>>
>>>>>> You, my friend, are a genius. SELinux was denying apache access to
>>>>>> asset's home directory. Turned it off in /etc/sysconfig/selinux.
>>>>>> Thanks a million!
>>>>>>
>>>>>>
>>>>>> --Jonathan
>>>>>>
>>>>>>
>>>>>
>>>>> Cool. If you're interested in maximizing your security, let me
>>>>> recommend that you try turning SELinux back on. IMHO it really
>>>>> does make for a more secure Apache. Basically you'd do something
>>>>> like this:
>>>>>
>>>>> 1. Put SELinux in 'permissive' mode, so that it still logs the
>>>>> things it would block, but doesn't actually block them.
>>>>>
>>>>> 2. Observe the violations in the log to see which files and
>>>>> directories need to have their context changed.
>>>>>
>>>>> 3. Use 'ls -laZ' and 'chcon --reference' to make the necessary
>>>>> changes.
>>>>>
>>>>> 4. Test for more violations until you're not getting any, and then
>>>>> put SELinux back into 'enforcing' mode.
>>>>>
>>>>> You can find some good background on SELinux and Apache on Fedora
>>>>> here:
>>>>>
>>>>> http://fedora.redhat.com/docs/selinux-apache-fc3/
>>>>>
>>>>>
>>>>> Cheers,
>>>>>
>>>>> Matthew
>>>>
>>>>
>>>>
>>> Boot into single user mode and 'reboot' into multi-user mode :)?
>>> That's essentially the same as restarting though. Can't really do
>>> anything else I think since SELinux is such an integral part of the
>>> kernel... but then again I'm not really an expert on that.
>>> Garrett
>>
>>
>> Try this:
>>
>> http://fedora.redhat.com/docs/selinux-faq-fc3/index.html#id2826056
>>
>>
>> Matthew
>
Yeah, unfortunately CSS doesn't always work the way that it should...
-Garrett
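As an added example (not code from this thread or from the Fedora docs Matthew links), the following POSIX shell script does the log-reading half of steps 2 and 3 in Matthew's procedure: it picks the AVC denials whose source domain is httpd_t out of SELinux audit-log text and prints, without running them, the `chcon --reference` commands that would relabel each denied path to match a directory Apache already serves correctly. The AVC records embedded in it are constructed for illustration; the function names `httpd_denials` and `relabel_plan`, the reference directory /var/www/html and the path /home/asset/public_html are assumptions, and the parser assumes audit-log style records with `path=`, `scontext=`, `tcontext=` and `tclass=` fields and one permission inside the braces.

```shell
#!/bin/sh
# Added example: extract httpd AVC denials from SELinux audit-log text and
# print (not run) the chcon --reference commands that would relabel the
# denied paths. Assumes audit-log style AVC records with path=, scontext=,
# tcontext= and tclass= fields and a single permission inside { }.

# Constructed sample records, in the shape of /var/log/audit/audit.log
# entries (older Fedora releases wrote similar lines to /var/log/messages).
SAMPLE_AVC='type=AVC msg=audit(1123890123.456:789): avc:  denied  { search } for  pid=4321 comm="httpd" name="public_html" dev=hda2 ino=12300 path="/home/asset/public_html" scontext=root:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=dir
type=AVC msg=audit(1123890124.001:790): avc:  denied  { read } for  pid=4321 comm="httpd" name="index.html" dev=hda2 ino=12345 path="/home/asset/public_html/index.html" scontext=root:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=file
type=AVC msg=audit(1123890125.002:791): avc:  denied  { write } for  pid=4321 comm="httpd" name="index.html" dev=hda2 ino=12345 path="/home/asset/public_html/index.html" scontext=root:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=file
type=AVC msg=audit(1123890126.003:792): avc:  denied  { read } for  pid=999 comm="sshd" name="authorized_keys" dev=hda2 ino=99 path="/home/asset/.ssh/authorized_keys" scontext=root:system_r:sshd_t tcontext=user_u:object_r:user_home_t tclass=file'

# httpd_denials LOGTEXT
# Prints one line per distinct denial whose source domain is httpd_t:
#   <permission> <tclass> <path> <target context>
# Denials from other domains (sshd_t above) are ignored so the relabel
# plan only touches what Apache actually needs.
httpd_denials() {
    printf '%s\n' "$1" |
    awk '/avc: +denied/ && /scontext=[^ ]*:httpd_t/ {
        perm = ""; path = ""; tctx = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{")                        perm = $(i + 1)
            else if (index($i, "path=") == 1)     path = substr($i, 6)
            else if (index($i, "tcontext=") == 1) tctx = substr($i, 10)
            else if (index($i, "tclass=") == 1)   cls  = substr($i, 8)
        }
        gsub(/"/, "", path)
        if (path != "") print perm, cls, path, tctx
    }' | sort -u
}

# relabel_plan REFERENCE_DIR LOGTEXT
# Emits one chcon command per distinct denied path, copying the context
# of REFERENCE_DIR (a directory Apache already serves correctly). Review
# the output before running it; nothing here changes any label.
relabel_plan() {
    ref="$1"
    httpd_denials "$2" |
    awk -v ref="$ref" '{ seen[$3] = 1 }
        END { for (p in seen) print "chcon --reference=" ref " " p }' |
    sort
}

# Stand-alone run: show the denials, then the proposed relabel commands.
httpd_denials "$SAMPLE_AVC"
relabel_plan /var/www/html "$SAMPLE_AVC"
```

On a real box you would feed the actual audit log text in place of SAMPLE_AVC while SELinux is in permissive mode, read the plan, apply the chcon lines you agree with, confirm the new labels with `ls -laZ`, and only then switch back to enforcing (`setenforce 1` does that without a reboot; `setenforce 0` is the permissive counterpart).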